Outsourcing Regulation

Home / Regulatory Digest & Market Consultation / Regulatory digest / Outsourcing Regulation

REGULATORY DIGEST ON “OUTSOURCING REGULATION”

Background

In the current business environment, financial institutions are unceasingly facing challenges to reduce their overhead costs, enhance operational efficiencies, and improve their services. As a result, outsourcing of business activities has become an integral part of their operations (Deloitte, 2018).

Given the risk associated with outsourcing, the joint forum at BIS has put in place high-level principles about outsourcing that can guide regulated businesses and regulators. These principles for regulated institutions include among others; to have in place a comprehensive policy on outsourcing, having a comprehensive outsourcing risk management, ensuring that outsourcing does not impede effective supervision by regulators, conducting due diligence for service providers, having written contracts for outsourced activities, establishing and maintaining contingency plans, and ensuring that service providers protect confidential information.

On the other hand; regulators should take into account outsourcing activities as an integral part of their ongoing assessment of the regulated entity, assure outsourcing by regulated institutions does not humper their ability to meet regulatory requirements and the regulator should be aware of the potential risks posed where the outsourced activities of multiple regulated entities are concentration of regulated institutions to a limited number of service providers.

Currently, NBR has issued a new regulation N° 49/2022 of 02/06/2022 on outsourcing replacing the regulation n° 03/2018 of 24/01/2018 on outsourcing.  

Regulatory Key Highlights

The current regulation aims at establishing minimum prudent standards for all regulated institutions that outsource their material activities. It provides the pre-outsourcing conditions and prohibits regulated institutions to outsource financial services for which they obtained the license.

The regulation sets out the responsibility of the board of directors towards outsourcing and requires regulated institution to define the material activities to be outsourced setting out the factors that should be followed in assessing material activities (Art.6). The requirements for outsourcing material activities are detailed in chapter III of this regulation.

The regulation further requires regulated institutions to establish through the board and senior management, a risk management framework and it sets out the activities to be performed in this regard. In assessing the decision to outsource, the regulated institutions shall subject the service provider to appropriate due diligence processes to assess the risks associated with the outsourcing arrangements. Among others, the regulated institutions shall also have to assess and manage the conflict of interest, the exit strategy, confidentiality and security of non-public data.

Regulated institutions should also ensure that outsourcing activities do not affect the business continuity and do not impede the regulated institution or the supervisory authority from conducting audit or inspection of outsourced material activities.

Further, the regulation provides for outsourcing outside Rwanda and outsourcing within the group. While outsourcing outside Rwanda, the requirement of not locating primary data outside Rwanda has been removed however, regulated institution shall abide with other legal and regulatory requirements notably those applicable to cybersecurity and data protection and privacy (Art. 27). Note here mainly article 50 of the law Nº 058/2021 of 13/10/2021 relating to the protection of personal data and privacy. The current regulation has provided in its annex 1 examples of outsourcing arrangements to which this regulation applies and arrangements to which it does not.

Important deadlines

The regulated institution shall assess the materiality of all outsourced agreements prior to the time of the publication of this regulation, and shall seek approval of the Supervisory Authority to continue outsourcing these activities within 6 months after this regulation comes into force (Art. 29).

Implications for concerned stakeholders

The main implications of the current regulation on outsourcing are:

  • All regulated institutions should comply with the current regulation on outsourcing;
  • Regulated institutions shall maintain a register of all material outsourcing arrangements (Art 16)

Click here for more details:

https://www.bnr.rw/laws-and-regulations/other-laws-and-regulation/laws-regulations/